US5495532A  Secure electronic voting using partially compatible homomorphisms  Google Patents
Secure electronic voting using partially compatible homomorphisms Download PDFInfo
 Publication number
 US5495532A US5495532A US08293363 US29336394A US5495532A US 5495532 A US5495532 A US 5495532A US 08293363 US08293363 US 08293363 US 29336394 A US29336394 A US 29336394A US 5495532 A US5495532 A US 5495532A
 Authority
 US
 Grant status
 Grant
 Patent type
 Prior art keywords
 sup
 means
 voting
 vote
 secure electronic
 Prior art date
 Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
 Expired  Lifetime
Links
Images
Classifications

 G—PHYSICS
 G07—CHECKINGDEVICES
 G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
 G07C13/00—Voting apparatus

 H—ELECTRICITY
 H04—ELECTRIC COMMUNICATION TECHNIQUE
 H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
 H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
 H04L9/008—Cryptographic mechanisms or cryptographic arrangements for secret or secure communication involving homomorphic encryption

 H—ELECTRICITY
 H04—ELECTRIC COMMUNICATION TECHNIQUE
 H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
 H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
 H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, nonrepudiation, key authentication or verification of credentials
 H04L9/3218—Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, nonrepudiation, key authentication or verification of credentials using proof of knowledge, e.g. FiatShamir, GQ, Schnorr, ornoninteractive zeroknowledge proofs

 G—PHYSICS
 G06—COMPUTING; CALCULATING; COUNTING
 G06F—ELECTRIC DIGITAL DATA PROCESSING
 G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
 G06F7/60—Methods or arrangements for performing computations using a digital nondenominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and nondenominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
 G06F7/72—Methods or arrangements for performing computations using a digital nondenominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and nondenominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
 G06F7/724—Finite field arithmetic
 G06F7/725—Finite field arithmetic over elliptic curves

 H—ELECTRICITY
 H04—ELECTRIC COMMUNICATION TECHNIQUE
 H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
 H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
 H04L2209/46—Secure multiparty computation, e.g. millionaire problem
 H04L2209/463—Electronic voting
Abstract
Description
The present invention relates to method and apparatus useful for secure electronic voting and specifically, to numbertheoretic based algorithms for secure electronic voting. Quite specifically, the algorithms are based on families of homomorphic encryptions having a partial compatibility property.
Secure electronic voting is one of the most important single applications of secure multiparty computation. Yet despite extensive work on this subject, no complete solution has been found in either the theoretical or practical domains. Even the general solutions to secure multiparty protocols fail to exhibit all of the desired properties of elections. For example, an article by J. C. Benaloh et al, entitled "Receiptfree Secretballot Election," in STOC 94, pp. 544553 (1994) describes the receiptfree property. While these general solutions do have a wide breadth of security properties, and some hope of rigorous analysis, they are impractical both in their computational and communication costs.
A number of more practical voting protocols have been proposed, with widely differing security properties. Schemes based on anonymous channels/mixers have become very popular due to their superior efficiency and the arbitrary nature of the votes that are allowed. Such schemes are described in an article by D. Chaum entitled "Untraceable Electronic Mail, Return Address, and Digital Pseudonyms" in Communication of the ACM, ACM, 1981, pp 84 to 88, in an article by A. Fujioka et al, entitled "A Practical Secret Voting Scheme for Large Scale Elections," in Advances in CryptologyAuscyrpt '92, 1992, pp. 244 to 251, and in an article by C. Park et al, entitled "Efficient Anonymous Channel and All/Nothing Election Scheme" in Advances in Cryptology, Eurocrypt '93, 1993, pp. 248 to 259. However, a price is paid for this efficiency. The simplest of these schemes does not allow a voter to securely protest the omission of a vote without allowing a malicious voter to block the election. In all the schemes known to the inventors there is a high round complexityone round for each mixer used to implement the anonymous channel. Also, after the election each voter is typically responsible for checking that their vote was correctly tallied. There is usually no way for an outside observer to later verify that the election was properly performed. Another approach is the use of number theoretic techniques without anonymous channels or mixers. The protocol has desirable security properties, but as discussed below in detail, their communication complexity is quite high for realistic scenarios. Such techniques are described in an article by J. Benaloh and M. Yung entitled "Distributing the Power of a Government to Enhance the Privacy of Voters" in ACM Symposium on Principles of Distributed Computing, 1986, pp. 52 to 62, in a Ph.D. thesis by J. Benaloh entitled "Verifiable SecretBallot Elections" Ph.D. thesis Yale University 1987 Yaleu/DCS/TR561, and in an article by J. Cohen et al entitled "A Robust and Verifiable Cryptographically Secure Election Scheme", in FOCS85, 1985, pp. 372 to 382.
The protocol of Benaloh and Yung enjoys most of the desirable security properties obtained in the present invention, and is based on partially compatible homomorphisms of the form E_{i} (x)=y_{i} ^{x} ·g_{i} ^{r} mod n_{i}. The technical advances made by the present invention include:
Greater generality: The encryption used by Benaloh and Yung was tuned to the factoring problem. Each center i had the prime factorization of n_{i} as part of its secret information. This secret information complicated the protocol in that the voters needed to verify the correctness of the centers' public information and the correctness of their subtallies through interactive protocols. Also, the present invention can be applied to "discretelog type" problems.
Amortization techniques: Unlike most previous work in voting, the present invention considers how to run multiple elections more efficiently. Since there are usually many voters and checking each vote involves many subchecks, amortization techniques can be effectively used to speed up single elections as well.
Improved zeroknowledge proofs: Direct and efficient protocols show, for example, that x+y is either 1 or 1, without conveying which is the case. These proofs are more efficient than the cryptographic capsule methods used in the prior art.
Also, the present invention incorporates techniques, such as the FiatShamir heuristic for removing interaction, that were not available at the time of Benaloh and Yung. Some of these techniques can also be applied to the original protocol (with varying degrees of difficulty and utility). By using more modern techniques the present invention realizes the basic approach laid out by Benaloh and Yung, but with greatly improved efficiency.
In accordance with the teaching of the present invention, a numbertheoretic method for secure electronic voting provides a number of features including moderate communication cost, low round complexity, preprocessing potential, security, universal verifiability and flexibility, all as described below.
The idea of secure electronic, voting is to enable secret votes to be performed electronically where the votes of individual voters are unknown and where the election results are tamperproof without the collusion of many counting centers. The present invention relies upon a novel mathematical method to encode votes for verification by breaking up the vote into shares which are supplied to different counting centers. Moreover, the ballots can be preprocessed for verification, but the ultimate vote decision can be delayed until the time of actual voting. The method used permits authentication of multiple ballots efficiently. In addition, the method is readily embodied using currently available PCs or workstations and conventional electronic bulletin boards.
The present invention requires much less communication cost than the previous numbertheoretic protocols. For one realistic setting of the parameters, it is estimated that present invention conservatively requires less than 1/20th the communication of BenalohYung's scheme. Furthermore, when more than one election is to be held, it is possible to use an amortization technique that will boost the pervote advantage to a factor of between 150 and 250. It should be noted however that the communication complexity of each vote remains much greater than that required by the anonymous channel/mixerbased protocols. However, it is well within the range of feasibility.
The present method enjoys an extremely low round complexity. Once the system has been set up, a voter can cast a vote in an election simply by posting single message. The counting process comprises each counting center posting single, very short message.
Ideally, one would like to do the bulk of the communication and computation in advance of an actual vote. In the present method, it is possible to preprocess ones vote with a single message. This preprocessing step does not depend on the vote that is eventually cast, and may be done at the time the voter "registers" to vote. When it comes time to actually vote, the voter can often simply post a single bit (or a bit along with a small integer in the worst case). Thus even with the signatures needed for identification, the communication cost is negligible. Similarly, after preprocessing, a PC acting as a voting center can easily count a hundred incoming votes per second.
Under reasonable heuristic assumptions, no coalition of voters or centers can unfairly influence an election or significantly,delay its outcome. A voter keeps her vote private as long as two of the centers are honest. The two honest centers requirement can be reduced to a single honest center requirement by a simple doubling mechanism: each center simulates two centers of the original schemes.
While heuristic assumptions are used (such as the FiatShamir method for noninteractive proofs) the only attack known requires one to compute discretelogarithms over the group being worked in. Thus, it is possible to use elliptic curves fox which the discretelog problem is currently thought to be much harder than factoring. Previous numbertheoretic approaches were based on the rth residue problem over Z_{n} *, and are guaranteed breakable if one can factor n.
Every action by a voter, whether preprocessing a vote or actually voting, is accompanied by a proof that the ballot is correctly constructed. The output of the counting center may also be easily checked for correctness. Any participant can verify that everyone else's vote has been included in the tally. Once a party posts a message, it does not need to cooperate in the checking of its work. The checking of the election can be distributed over many parties, and if someone is still not satisfied they may check the results themselves. Thus, a voter has the option of minimally participating in an election by simply sending in their vote and then ceasing all involvement.
The present invention is readily adaptable to different situations. For example, the number of centers can be made quite large. Voters may choose their own security/efficiency tradeoff and individually choose how many and which centers they use. Thus, it is possible to practically support an election in which there are a 100 centers of which a typical voter chooses 10 and is protected as long as two of them are honest. For large elections it is possible to construct hierarchical counting schemes.
The present invention provides a new tool: families of partially compatible homomorphic encryption functions. There are well known encryption functions with additive (E(x+y)=E(x)E(y) or multiplicative E(xy)=E(x)E(y) homomorphisms. These properties can be exploited to make very efficient zeroknowledge proofs, but they can also work against security. For example, suppose that one has E(x) and E(y) and wishes to know whether x+y is 1 or 1. If E is a function (as opposed to a probabilistic encryption) with an additive homomorphism then one can compute E(x+y) and check if it is equal to E(1) or E(1).
Benaloh and Yung in their article entitled "Distributing the Power of a Government to Enchance the Privacy of Voters" in ACM Symposium on Principles of Distributed Computing, 1986, pages 52 to 62. circumvent this difficulty by using a family of probabilistic encryption functions, {E_{1}, . . . , E_{n} }. Each E_{i} probabilistically encrypts an element x ε Z_{r}, where r is a moderately large prime independent of i. While each E_{i} satisfies E_{i} (x+y)=E_{i} (x)E_{i} (y), there is no obvious way of combining E_{i} (x) and E_{j} (y) to obtain an encryption of some simple function of x and y. A key requirement of their technique was that the encryptions E_{i} be probabilistic, a condition weakened in the formalism below.
The present invention considers a family of additive homomorphic, possibly deterministic encryption functions, {E_{1}, . . . , E_{n} }. Within this family there is a single group Z_{q} (where q is large) such that E_{i} (x+y)=E_{i} (x)E_{i} (y), where x,y ε Z_{q}. Thus, they are all basically compatible. However, it is required that for all (i,j) the following two distributions are computationally indistinguishable:
1(E_{i} (x),E_{j} (y)), where x and y are chosen uniformly from Z_{q}, and
2. (E_{i} (x),E_{i} (x)), where x is chosen uniformly from Z_{q}.
This implies that for any v, (E_{i} (x),E_{j} (vx)) is indistinguishable from (E_{i} (x), E_{j} (y)). Thus, if x and y are chosen uniformly such that x+y=v, then knowing (E_{i} (x),E_{j} (y)) does not reveal anything about v. Similarly, if x_{1}, . . . , x_{n} are chosen uniformly to stun to v, then knowing n2 of the values {x_{1}, . . . , x_{n} } reveals nothing about v.
Such families of called encryption functions with this property partially compatible homomorphic encryption functions. Reduction of the existence of such families to any wellknown algebraic assumption is unknown. However, there are a number of candidates for such a family of encryption functions. For example, let primes p_{i} =k_{i} q+1, where q is a prime, let g_{i} be a randomly (or pseudorandomly) chosen generator for Z_{pi} ^{*} and let α_{i} =g_{i} ^{k}.sbsp.i. If E_{i} (x)=α_{i} ^{x} then there is no way of obtaining any information about x_{1} +x_{2} given E_{1} (x_{1}) and E_{2} (x_{2}) without computing discrete logarithms. The only weakness of the method is that if p_{1} =p_{2} and l is such that α_{2} =α_{1} ^{l} is known, then one can compute E_{1} (x_{1} +x_{2})^{l} =E_{1} (x_{1})_{L} E_{2} (x_{2}), which allows one to determine if x_{1} +x_{2} is equal to a given number. No such attack is known when p_{1} ≠p_{2}.
It is also possible to incorporate encryption functions based on elliptic curves or other groups. Furthermore, it is possible to mix arbitrarily which types of groups are used. For ease of description, multiplicative notation for the cyclic group generated by α_{i} will be used, regardless if the group is normally treated as multiplicative or additive.
Using these families of partially compatible homomorphic encryption functions, very efficient interactive proofs for assertions are constructed such as:
x_{1} + . . . +x_{n} =a+b, given the encryptions for these values, and
x+y ε{1,1}, given the encryptions for x and y.
Because of the efficiency of these proofs, it can be run many times, and used with the heuristic of FiatShamir described in an article entitled "How to Prove Yourself: Practical solution to identification and signature problems" in Advances in CryptologyCrypto '86, SpringerVerlag, 1986, pp. 186 to 199 to make them noninteractive.
The improved proof methods bring the complexity of the numbertheoretic techniques to the point where they can be used by a personal computer (PC) that can post messages to a bulletin board as will be described below. However, when very strong confidence parameters are used (2^{40} or even 2^{60} error rates are recommended when using the FiatShamir heuristic) and the voter is allowed to protect the vote by using many (e.g., 10) of the available centers, the costs are at the outer margin of usability. Hence, the invention develops methods for making these burdens easier to bear.
By allowing nearly all of the work to be done in advance of any election, the computational and communication burden can be amortized over a much larger period of time and still result in having very fast elections. To lower the computational burden of a proof, table lookup techniques are used to reduce the number of group operations required. Finally, a voter can process many votes using much less communication and computation than would be required to process the votes individually.
The use of amortization in cryptography is not new. Kurosawa and Tsujii in an article entitled "Multilanguage Zero Knowledge Interactive Proof Systems" in Advances in CryptologyCrypto '90 (1991) pp. 339 to 352, construct a zeroknowledge proof for two assertions that is more efficient than simply concatenating the zeroknowledge proofs for each assertion. Boyar, Brassard and Peralta in an article entitled "Subquadratic ZeroKnowledge" in FOCS 91 (1991) pages 69 to 78, and Kilian in an article entitled "A Note on Efficient Zeroknowledge Proofs and Arguments" in STOC92 (1992) pages 722 to 732, consider the problem of achieving ultrahigh confidence zeroknowledge proofs for NP using less communication than is required by simple sequential repetition. Franklin and Yung in an article entitled "Communication Complexity of Secure Computation" in STOC92 (1992) pages 699 to 710, show how to implement k instances of a secure multiparty computation much less expensively than k times the cost of a single secure computation.
The present invention therefore provides a method and apparatus for secure electronic voting using partially compatible homomorphisms which is more efficient than the heretofore known methods.
The invention will be more clearly understood when the following description is read in conjunction with the accompanying drawing.
FIG. 1 is an algorithm useful for proving the validity for shares;
FIG. 2 is an algorithm useful for proving summation assertions;
FIG. 3 is an algorithm of the electronic scheme comprising the present invention;
FIG. 4 is a schematic illustration of a preferred embodiment for practicing the invention;
FIG. 5 is a schematic illustration of a vote constructor;
FIG. 6 is a schematic illustration of a vote inverter;
FIG. 7 is a schematic illustration of a ballot checker;
FIG. 8 is a schematic illustration of a multiplevote constructor;
FIG. 9 is a schematic illustration of a multiplevote ballot checker; and
FIG. 10 illustrates the voting process in FIG. 3.
The basic voting scheme comprising the present invention will now be described. For simplicity, assume that there are only two centers counting the votes, and that a single yes/no vote is being held. It will be apparent to those skilled in the art that the invention is applicable to situations with many, for example tens, vote counting centers. The basic method does not protect privacy of a vote against the center. This problem will be overcome as described below when more than two centers are involved.
The two centers are denoted by C_{1} and C_{2}. Each vote v will be broken into shares x_{1} and x_{2}, where x_{i} is a member of Z_{q}, and q is a prime. Before being posted, each share x_{i} is encrypted using encryption function E_{i}, where {E_{i},E_{2} } form a family of partially compatible homomorphic encryption functions.
As part of the setup process, which need only be done once for all time, the parties agree on {E_{1},E_{2} }. Note that with implementations based on discretelog functions, there is no trapdoor information that need be kept hidden. Thus, for example, a few bits from some global source can be fed into a pseudorandom bit generator and these random bits could be used to choose the moduli and generators needed to specify the desired functions. Heuristically, anyone can provide the seed to the pseudorandom generator, and it is unlikely that the seed will make the output a weak set of functions.
Along with setting up the family of encryption functions, assume that basic primitives such as publickey cryptography and secure bitstring commitment have already been established. Let H(x) denote a possibly probabilistic hash function that commits the sender to x without giving away any useful information about x.
The basic election procedure is performed in three stages: vote preparation, vote casting and vote counting.
Each voter i chooses a vote v_{i}, 1 for a yesvote and 1 for a novote. The voter uniformly generates x_{i}.sup.(1) and x_{i}.sup.(2) such that
x.sub.i.sup.(1) +x.sub.i.sup.(2) =v.sub.i mod q.
The voter then posts E_{1} (x_{i}.sup.(1))=α_{1} ^{x}.sbsp.i.spsp.(1) and E_{2} (x_{i}.sup.(2))=α_{2} ^{x}.sbsp.i.spsp.(2) and proves x_{i}.sup.(1) +x_{i}.sup.(2) ε{1,1} without disclosing x_{i}.sup.(1), x_{i}.sup.(2) nor v_{i}.
Each voter i encrypts x_{i}.sup.(1) and x_{i}.sup.(2) using the public keys of C_{1} and C_{2} respectively. Each center j computes E_{j} (x_{i}.sup.(j)) and checks that it agrees with the previously posted value.
Each center j sums up x_{i}.sup.(j) modulo q for all voters i and posts subtally,t_{j}. Each voter verifies that ##EQU1## and computes T=t_{1} +t_{2}, which is equal to the number of "yes" votes minus the number of "no" votes.
Referring to FIG. 1 there is shown a simple algorithm, referred to as prove±1, for proving validity of shares, namely that x_{1} +x_{2} ε{1,1} mod q given E_{1} (x_{1}) and E_{2} (x_{2}). The algorithm is a method by which a verifier proves that when the halves of the votes are combined, the result is a wellformed vote. No information regarding the actual vote is revealed by the method.
Each execution of the algorithm in FIG. 1 will catch a cheating prover with probability 1/2. Note that the distribution of (Y_{1}, Y_{2}) is easy to simulate given (E_{1} (x_{1}),E_{2} (x_{2})). Indeed, if R is a perfect zeroknowledge bit commitment then the algorithm is perfect zeroknowledge. Also note that a conceptually more simple algorithm would have the prover reveal s(x_{2} r) in Step 2b. The selected algorithm was chosen for its reduced communication complexity. Both s and t could also be eliminated by having the verifier check both possibilities, but this would save only 2 bits.
While this algorithm is given in terms of a verifier, a more round efficient solution is to use the FiatShamir method of eliminating interaction. First, the protocol is run many times (on the order of 40 or 60) in order to make the probability of withstanding all of the challenges vanishingly small. Then the verifier is replaced by a suitably "random looking" hash function which generates the challenges from the prover's posting in Step 1 of the protocol. If the prover is trying to prove an incorrect statement, then heuristically the prover's only strategy is to run different postings through the hash function until finding one whose challenges the prover can meet. However, the cost of this attack is prohibitive if the error probability is truly small (2^{40} or 2^{60}).
In the basic method described above, there were only two centers and a single yesno vote. However, in more practical scenarios a voter will want to divide the vote among as many centers as possible  the more centers the more private the vote. Also, a voter is likely to participate in many elections and a given election is likely to have many yes/no votes. For example, Benaloh supra points out that approval voting (where a voter may cast a vote for any number of the given candidates) is really just a case of several independent yes/no votes. The following describes how to split many votes over many centers with substantial amortized savings compared with preparing each vote separately.
For simplicity, assume that there are only n centers and that each voter will split their votes over all n centers. For each center i there is an encryption function E_{i} from this family. Following the basic scheme, the voter breaks the vote v ε {1, 1} into shares X.sup.(1), . . . , X.sup.(n) such that v=X.sup.(1) + . . . +X.sup.(n), and then proves that these shares are correctly constructed. The most straightforward solution is to adapt the algorithm prove±1 shown in FIG. 1 to handle more than two shares. Instead, the proof is broken into two stages. First, the prover randomly generates a, b such that v=a+b and proves that X.sup.(1) + . . . +X.sup.(n) =A+B. Then, the algorithm prove±1 in FIG. 1 is used to prove that v=a+b. This provides an opportunity to handle multiple votes efficiently as described below.
FIG. 2 is an algorithm, referred to as provesum, for reducing a sum of n encrypted shares to a sum of two shares. The voter has broken the vote into many encrypted shares and also split the vote into two encrypted halves. The provesum algorithm is a method by which a verifier proves that the many shares combine to give the same value as the two halves. No information regarding the actual vote is revealed by the method. The algorithm provesum is used in conjunction with the algorithm prove±1 to efficiently show that vote which has been broken into many shares can be combined into a wellformed vote.
Assume that the encryptions E_{i} (X.sup.(i)), E_{a} (A) and E_{b} (B) are known, and that
(E.sub.1, . . . ,E.sub.n, E.sub.a, E.sub.b)
is a family of partially compatible homomorphic encryptions with domain Z_{q}. If the summation assertion is not true, then in each iteration of the protocol the prover will fail a check with probability at least 1/2. As before, this error rate is lowered to a very small value by repeated repetition, and then the FiatShamir heuristic is used to make the proof noninteractive.
The bulk of computation and communication required for the full nparty scheme is taken up by the proof of the reduction to the 2share stun. By combining many of these proofs into a single proof, the voter can efficiently prepare many "yes/no" ballots at once with significant savings in the amortized computation and communication required.
Suppose that the voter wants to prove that the following equations hold. ##EQU2## and the values of E_{i} (X_{j}.sup.(i)), E_{a} (A_{j}) and E_{b} (B_{j}) are known for 1≦i≦n and 1≦j≦m. Let coefficients c_{1}, . . . , c_{m} ε Z_{q} be chosen at random, and consider the following linear equation: ##EQU3##
By a simple probability argument, the following facts hold:
1. If all of the original linear equations were true, then the new linear equation will also be true, and
2. If at least one of the original linear equations is false, then the new linear equation will be false with probability 11/q.
Thus, a proof of the new equation will suffice as a proof of all of the original equations.
It remains to show how to generate the encryptions for the new variables and how to choose the coefficients. The encryptions are given by ##EQU4##
One can view the c_{i} coefficients as challenges. As before, the FiatShamir scheme is used to generate the value c_{i} by a hash function of the original encryptions. Note that in this case, it is not necessary to perform the operation multiple times, since for a random setting of the coefficients an error in the original set of equations will result in an error in the final equation with all but vanishing probability. Indeed, for computational efficiency it suffices to choose c_{i} from {1 . . . 2^{60} }, which will greatly speed up the exponentiations.
FIG. 3 is an algorithm of the election method comprising the present invention as described above for the case of m votes distributed over n centers. In the precomputation stage, randomly generated votes are broken into encrypted shares. In the votecasting stage, the voters specify whether the random vote should be counted as given or be inverted, i.e. changed from a yes (1) to a no (1) or viceversa. In the vote counting stage, the voting centers count their shares of the vote and post the subtallies. The subtallies do not provide any information for any subset of the voters. The subtallies are then combined together to determine the final vote. At each step of the algorithm, information is provided to allow voters and (possibly future) outside observers to verify the correctness of each step.
An estimate of the communication cost of the present invention will be calculated. While it will be apparent to those skilled in the art that there are many possible variations of the present invention, a good understanding of their complexity can be had by analyzing the cost of splitting a vote into encrypted shares and proving that the shares are well formed.
A number of security parameters are involved in this analysis. First, assume that the encryption functions are based on modular exponentiation over Z_{pi} ^{*}, and let k be an upper bound on the length of p_{i} (if different moduli are used, then they will not be exactly the same size). Let h be the output of the hash function H used for commitments and let l be the security parameter that effectively denotes how many times the proofs are run.
Consider the most general case of splitting m votes to n centers. Note that for m large, a higher amortized efficiency is achieved due to the method used. Not counting the cost of the proof, representing these pieces along with the additional 2 shares used in the reduction requires (n+2)km bits. The cost of proving the correctness of the combined equation [2(n+2)k+(n+1)h]l bits. At this point, the voter has proved that each set of n shares representing a vote is equal to the two auxiliary shares. The proof that the two auxiliary shares sum to 1 or 1 costs [3k+h]lm bits. The cost of revealing these shares to the proper counting authorities is approximately nkm bits. Altogether, this gives a total of 2(n+1)mk+[(2n+2)k+(n+1)h+(3k+h)m]l bits. Some of the resulting numbers are shown in Table 1. If "center doubling" is used so as to require only one good center instead of two, then the costs are all doubled.
TABLE 1______________________________________ 1 vote, 1 vote, 100 votes, l = 40 l = 20 l = 40______________________________________Proposed Scheme 56K bytes 28K bytes 1M bytes 2.5 min. 1.5 min 58 min.Benaloh & Yung 4M bytes 1M bytes 400M bytes(1000 voters) 11 min 3 min 19 hrs______________________________________ All with n = 10 centers.
An approximate estimate computation cost for the voters is described below. In accordance with the invention, the costly computations are mainly modular multiplication and modular exponentiation. Note that many modular exponentiations with the same base are being performed. This fact can be exploited by computing lookup tables that will reduce the number of multiplications required by the exponentiations. For example, it is possible to precompute α_{j} ^{i} for all i's that are powers of 2. This will reduce the average number of multiplications needed to compute α_{x} mod p from 3/2k, to 1/2k, requiring a table size of (n+2)k^{2} bits. Using a more sophisticated table can result in further factor of 3 for the typical number ranges.
Again consider the case of splitting m votes into n shares each. Splitting m votes to mn pieces requires 1/2(n+2)km multiplications. A total of 1/2(n+2)kl multiplications are needed for proving the reduction to the the reduced 2share representation of a vote. A product of klm multiplications are needed to complete the proof that the votes are well formed. Verifying the subtallies of each center requires (1/2k+[# of voters])nm modular multiplications
Altogether, the method requires approximately
1/2[(2n+2+2l)m+)n+2)l]k+]# of voters]nm
modular multiplications. A PC running at 33 MHz can executes 768 multiplications in a second. Based on this, some of the resulting numbers are shown in Table 1.
Note that these figures are only approximate. However, the cost of the other modular addition or such operations as computing hash functions is comparatively negligible.
An approximate estimate of the computation cost needed for verification will now be described. Again, k is the length of p, and l is a security parameter which determines maximum probability of cheating. The value c is the length of coefficients used in the method which can be set small. Also, modular exponentiation can exploit the previously mentioned table lookup techniques.
Consider the case of splitting m votes into n shares each. The total 1/2(n+2)c(m1) multiplications are needed for generating the encryption of the shares, including their representation. The total 1/2(n+2)(k+1)l multiplications are needed to verify that the combined equation is correct. The total (k+1)lm multiplications are needed to complete the proofs that the shares are well formed. Altogether, this yields 1/2[((n+2)c+2l(k1))m+(n+2)(kllc)] modular multiplications for each voter.
This number can be reduced by using techniques for verifying many modular exponentiations, resulting in a factor of 4 improvement over actually computing the exponentiations.
The work of Benaloh and Yung gave the first scheme where votes are divided into pieces and the verifiable subtally yields total outcome of voting. However, their scheme suffers from large communication complexity and seems not yet practical for implementation on existing networks. One of the reasons they need large communication complexity is that each centers i generate secret prime factors of their public key N_{i}. Therefore the scheme involves an interactive protocol to detect possible cheating at the setting of the public keys, together with an interactive protocol to show detected cheat was not due to a malicious voter. Also, since extra information of subtally may reveal these secret primes, an interactive protocol was necessary to prove the correctness of subtally. For the above reasons, their protocol needed (4l^{2} +5l+2)kn bits for communication, where k is the size of the public keys of the n centers, and l is a security parameter.
The computation complexity is rather small for each iteration of their scheme, since the computation is based on y^{e} x^{r} mod where e and r are much smaller than n. However, since this interactive proof takes place many times, the total cost does not remain so small. An estimate their total computation assuming that they use the same step of constructing a table of y^{i} mod n_{j} that requires nrk bits. Then, there will be 3(l^{2} +3l+1)lg rn+2(l^{2} +L+1)n+[# of voters]n bit modular multiplication in total, where k is the size of public keys of the n centers, r determines number of voters and l is a security parameter. An approximate numerical comparison is shown in Table 1.
Having described the method of practicing the present invention, preferred embodiments useful for practicing the invention will now be described.
FIG. 4 schematically illustrates a preferred embodiment for practicing the invention. The voters and vote counters use personal computers or workstations 10 connected to a conventional electronic bulletin board 12. All parties (voters, verifiers, counters and the like) to the voting process interact by posting messages to and sending messages from the bulletin board. Voters can also serve as vote counters. The personal computers either contain software to perform the method described above or alternatively contain in hardware or software embodiments of the elements described in FIGS. 5 to 9.
FIG. 5 illustrates a vote constructor. The vote constructor 14 generates shares 18 and encrypts the shams 20 for the vote from yes/no vote selection 16 using partially homomorphic encryption functions as described above. The vote constructor also encrypts the shares with the public key of the respective center C_{i} that will process the share. The vote constructor also produces a ballot authentication certificate by which anyone can verify that the encrypted shares combine to make a wellformed vote. The encrypted shares 20 and the certificate 22 are posted to the electronic bulletin board 12. The arrows to centers C_{i} merely specify who is able to decrypt the globally posted information.
FIG. 6 schematically illustrates a vote inverter for converting "yes" votes to "no" votes and "no" votes to "yes" votes. (liven a set of encrypted shares 20, inverter 24 produces a set of encrypted shares 26 for the inverted vote (indicated with the prime), likewise, given an unencrypted share 28, inverter 24 will produce an inverted unencrypted share 30. During the actual voting, the voter specifies whether the previously constructed vote should be inverted before counting or be counted as is. A counter must conform to the specification of the voter or be detected as not conforming to the voter specification by anyone who checks the vote. The inverter enables the preprocessing of a vote, perhaps at the time of registration, and then allows subsequent voting by either confirming the preprocessed vote or inverting the preprocessed vote. This system enables more efficient voting.
FIG. 7 schematically illustrates a ballot checker. The ballot checker 32 receives a set of encrypted shares 20 and the ballot authenticate certificate 22 and determines whether the encrypted shares can be combined to form a wellformed vote, thus indicating a valid or invalid vote.
FIG. 8 schematically illustrates a multiplevote constructor. In this case, a multiple yes/no vote selector 40 provides votes to a multiple vote constructor 42. The multiple vote constructor forms shares for each vote and encrypts the shares. Each encrypted vote is in the form of a ballot 44. A single multiple ballot authentication certificate 46 is provided for constructing all of the multiple votes.
FIG. 9 schematically illustrates a multiplevote ballot checker. A multiple ballot checker 48 checks a set of votes that were produced by the multiple vote constructor shown in FIG. 8. The checker 48 checks that a set of votes were produced by the multiplevote constructor using the encrypted shares 44 and the single multiple ballot authentication certificate 46. As described in conjunction with the ballot checker in FIG. 7, the checker 48 determines whether the shares can be combined to form wellformed votes, thus indicating a valid or invalid vote.
FIG. 10 graphically illustrates the voting process described in FIG. 3. Voter V cast votes "yes" or "no" as shown. The votes are broken into shares, encrypted and split among many centers C. The votes are checked with the certificates to provide proof that the votes were properly encrypted and distributed. The votes and centers verify the election. The centers combine their respective shares to form subtallies which are then combined together to yield the final election result.
While there has been described and illustrated a preferred method and apparatus of secure electronic voting, it will be apparent to those skilled in the art that variations and modifications are possible without deviating from the broad teachings and spirit of the present invention which shall be limited solely by the scope of the claims appended hereto.
Claims (28)
Priority Applications (1)
Application Number  Priority Date  Filing Date  Title 

US08293363 US5495532A (en)  19940819  19940819  Secure electronic voting using partially compatible homomorphisms 
Applications Claiming Priority (6)
Application Number  Priority Date  Filing Date  Title 

US08293363 US5495532A (en)  19940819  19940819  Secure electronic voting using partially compatible homomorphisms 
JP20493895A JPH0863533A (en)  19940819  19950810  Method and device for secured electronic voting using homomorphism having partial compatibility 
ES95112941T ES2156594T3 (en)  19940819  19950817  Method and apparatus for secure electronic voting. 
DE1995620714 DE69520714T2 (en)  19940819  19950817  Method and apparatus for secure electronic voting 
DE1995620714 DE69520714D1 (en)  19940819  19950817  Method and apparatus for securing electronic voting 
EP19950112941 EP0697776B1 (en)  19940819  19950817  Method and apparatus for secure electronic voting 
Publications (1)
Publication Number  Publication Date 

US5495532A true US5495532A (en)  19960227 
Family
ID=23128777
Family Applications (1)
Application Number  Title  Priority Date  Filing Date 

US08293363 Expired  Lifetime US5495532A (en)  19940819  19940819  Secure electronic voting using partially compatible homomorphisms 
Country Status (5)
Country  Link 

US (1)  US5495532A (en) 
EP (1)  EP0697776B1 (en) 
JP (1)  JPH0863533A (en) 
DE (2)  DE69520714D1 (en) 
ES (1)  ES2156594T3 (en) 
Cited By (53)
Publication number  Priority date  Publication date  Assignee  Title 

US5682430A (en) *  19950123  19971028  Nec Research Institute, Inc.  Secure anonymous message transfer and voting scheme 
US5758325A (en) *  19950621  19980526  Mark Voting Systems, Inc.  Electronic voting system that automatically returns to proper operating state after power outage 
US6021200A (en) *  19950915  20000201  Thomson Multimedia S.A.  System for the anonymous counting of information items for statistical purposes, especially in respect of operations in electronic voting or in periodic surveys of consumption 
US6035041A (en) *  19970428  20000307  Certco, Inc.  Optimalresilience, proactive, publickey cryptographic system and method 
WO2000021041A1 (en)  19981006  20000413  Chavez Robert M  Digital elections network system with online voting and polling 
US6092051A (en) *  19950519  20000718  Nec Research Institute, Inc.  Secure receiptfree electronic voting 
WO2001020562A2 (en)  19990325  20010322  Votehere, Inc.  Multiway election method and apparatus 
US20010011351A1 (en) *  20000121  20010802  Nec Corporation  Anonymous participation authority management system 
US6330608B1 (en)  19970331  20011211  Stiles Inventions L.L.C.  Method and system of a computer system for establishing communications between a service provider and a central service factory and registry in a computer system 
US20020007457A1 (en) *  20000324  20020117  C. Andrew Neff  Verifiable, secret shuffles of encrypted data, such as elgamal encrypted data for secure multiauthority elections 
US20020078358A1 (en) *  19990816  20020620  Neff C. Andrew  Electronic voting system 
US20020077887A1 (en) *  20001215  20020620  Ibm Corporation  Architecture for anonymous electronic voting using public key technologies 
US20020103696A1 (en) *  20010129  20020801  Huang Jong S.  System and method for highdensity interactive voting using a computer network 
US20020128978A1 (en) *  20000324  20020912  Neff C. Andrew  Detecting compromised ballots 
US20020138341A1 (en) *  20010320  20020926  Edward Rodriguez  Method and system for electronic voter registration and electronic voting over a network 
US20030028423A1 (en) *  20000324  20030206  Neff C. Andrew  Detecting compromised ballots 
US20030034393A1 (en) *  20001120  20030220  Chung Kevin KwongTai  Electronic voting apparatus, system and method 
US20030046144A1 (en) *  20010828  20030306  International Business Machines Corporation  System and method for anonymous message forwarding and anonymous voting 
US20030062408A1 (en) *  20011002  20030403  Barmettler James W.  Voting ballot, voting machine, and associated methods 
US6550675B2 (en)  19980902  20030422  Diversified Dynamics, Inc.  Direct vote recording system 
US20040117649A1 (en) *  20010427  20040617  William Whyte  System and method for processing a shared secret 
US6817515B2 (en) *  20010425  20041116  Level 3 Communications, Inc.  Verifiable voting 
US6834272B1 (en) *  19990810  20041221  Yeda Research And Development Company Ltd.  Privacy preserving negotiation and computation 
US20050021479A1 (en) *  20011212  20050127  Jorba Andreu Riera  Secure remote electronic voting system and cryptographic protocols and computer programs employed 
US20050028009A1 (en) *  20010324  20050203  Neff C Andrew  Verifiable secret shuffles and their application to electronic voting 
US20050049082A1 (en) *  19980318  20050303  Callaway Golf Company  Golf ball 
US6865543B2 (en) *  20010309  20050308  Truvote, Inc.  Vote certification, validation and verification method and apparatus 
US20050160272A1 (en) *  19991028  20050721  Timecertain, Llc  System and method for providing trusted time in content of digital data files 
US20050269406A1 (en) *  20040607  20051208  Neff C A  Cryptographic systems and methods, including practical high certainty intent verification, such as for encrypted votes in an electronic election 
US20060000904A1 (en) *  20040630  20060105  France Telecom  Method and system for electronic voting over a highsecurity network 
US20060085647A1 (en) *  20000324  20060420  Neff C A  Detecting compromised ballots 
US20060169778A1 (en) *  20001120  20060803  Chung Kevin K  Electronic voting apparatus, system and method 
US20060202031A1 (en) *  20011001  20060914  Chung Kevin K  Reader for an optically readable ballot 
US20060249578A1 (en) *  20050506  20061109  Fernando Morales  Method of confidential voting using personal voting codes 
US20060255145A1 (en) *  20011001  20061116  Chung Kevin K  Method for reading an optically readable sheet 
US20080010467A1 (en) *  20060706  20080110  Sap Ag  Privacypreserving concatenation of strings 
US20080019510A1 (en) *  20060706  20080124  Sap Ag  Privacypreserving substring creation 
US20080110985A1 (en) *  20061020  20080515  Barry Cohen  Electronic voting system 
US7389250B2 (en)  20000324  20080617  Demoxi, Inc.  Coercionfree voting scheme 
US20080172233A1 (en) *  20070116  20080717  Paris Smaragdis  System and Method for Recognizing Speech Securely 
US7422150B2 (en)  20001120  20080909  Avante International Technology, Inc.  Electronic voting apparatus, system and method 
US20090177591A1 (en) *  20071030  20090709  Christopher Thorpe  Zeroknowledge proofs in large trades 
US20090289115A1 (en) *  20080430  20091126  Kevin KwongTai Chung  Optically readable marking sheet and reading apparatus and method therefor 
US7635087B1 (en)  20011001  20091222  Avante International Technology, Inc.  Method for processing a machine readable ballot and ballot therefor 
US20090327141A1 (en) *  20070418  20091231  Rabin Michael O  Highly efficient secrecypreserving proofs of correctness of computation 
US20100185863A1 (en) *  20061201  20100722  Rabin Michael O  Method and apparatus for timelapse cryptography 
US20100252628A1 (en) *  20090407  20101007  Kevin KwongTai Chung  Manual recount process using digitally imaged ballots 
US20110010227A1 (en) *  20090708  20110113  Aulac Technologies Inc.  Antirigging Voting System and Its Software Design 
US20110089236A1 (en) *  20091021  20110421  Kevin KwongTai Chung  System and method for decoding an optically readable markable sheet and markable sheet therefor 
US20130170640A1 (en) *  20110429  20130704  International Business Machines Corporation  Fully Homomorphic Encryption 
US8840022B1 (en)  20130315  20140923  Election Systems & Software, Llc  System and method for decoding marks on a response sheet 
US20170085544A1 (en) *  20150828  20170323  ElectionEurope  Method of Security and Verifiability of an Electronic Vote 
US9742556B2 (en)  20150825  20170822  International Business Machines Corporation  Comparison and search operations of encrypted data 
Families Citing this family (4)
Publication number  Priority date  Publication date  Assignee  Title 

JP3233119B2 (en) *  19981228  20011126  日本電気株式会社  Receiptfree electronic voting method and apparatus 
CA2438985A1 (en) *  20010220  20020829  C. Andrew Neff  Detecting compromised ballots 
ES2367940B1 (en) *  20091204  20120927  Scytl Secure Electronic Voting, S.A.  Method for the verification of the correct registration information. 
CN102970143B (en) *  20121213  20150422  中国科学技术大学苏州研究院  Method for securely computing index of sum of held data of both parties by adopting addition homomorphic encryption 
Citations (1)
Publication number  Priority date  Publication date  Assignee  Title 

US5412727A (en) *  19940114  19950502  Drexler Technology Corporation  Antifraud voter registration and voting system using a data card 
Patent Citations (1)
Publication number  Priority date  Publication date  Assignee  Title 

US5412727A (en) *  19940114  19950502  Drexler Technology Corporation  Antifraud voter registration and voting system using a data card 
NonPatent Citations (22)
Title 

A. Fujioka et al, A Practical Secret Voting Scheme for Large Scale Elections, Advances in Cryptology Auscrypt 92, pp. 244 to 251. * 
A. Fujioka et al, A Practical Secret Voting Scheme for Large Scale Elections, Advances in CryptologyAuscrypt '92, pp. 244 to 251. 
Amos Fiat and Adi Shamir, How to Prove Yourself: Practical Solutions to Identification and Signature Problems. Advances in Cryptology Crypto 86, Springer Verlag, 1986, pp. 186 199. * 
Amos Fiat and Adi Shamir, How to Prove Yourself: Practical Solutions to Identification and Signature Problems. Advances in CryptologyCrypto '86, SpringerVerlag, 1986, pp. 186199. 
Choonsik Park, Kazutomo Itoh and Kaoru Kurosawa, Efficient Anonymous Channel and All/Nothing Election Scheme. EUROCRYPT 93, 1993, pp. 248 259. * 
Choonsik Park, Kazutomo Itoh and Kaoru Kurosawa, Efficient Anonymous Channel and All/Nothing Election Scheme. EUROCRYPT '93, 1993, pp. 248259. 
David Chaum, Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms, Communications of the ACM, vol. 24, No. 2, Feb. 1981. * 
J. Benaloh et al. Distributing the Power of a Government to Enhance the Privacy of Voters, ACM Symposium on Principles of Distributed Computing, 1986, pp. 52 to 62. * 
Joan Boyar, Gilles Brassard, Rene Peralta. Subquadratic Zero Knowledge, FOCS 91, 1991, pp. 69 78. * 
Joan Boyar, Gilles Brassard, Rene Peralta. Subquadratic ZeroKnowledge, FOCS 91, 1991, pp. 6978. 
Joe Kilian, A Note on Efficient Zero Knowledge Proofs and Arguments. STOC 92, 1992, pp. 722 732. * 
Joe Kilian, A Note on Efficient ZeroKnowledge Proofs and Arguments. STOC 92, 1992, pp. 722732. 
Josh C. Benaloh and Dwiht Tuinstra, Receipt Free Secret Ballot Elections. STOC 94, 1994, pp. 544 553. * 
Josh C. Benaloh and Dwiht Tuinstra, ReceiptFree SecretBallot Elections. STOC 94, 1994, pp. 544553. 
Josh D. Cohen and Michael J. Fischer, A Robust and Verifiable Cryptographically Secure Election Scheme. FOCS85, 1985, pp. 372 382. * 
Josh D. Cohen and Michael J. Fischer, A Robust and Verifiable Cryptographically Secure Election Scheme. FOCS85, 1985, pp. 372382. 
Josh Daniel Cohen Benaloh, Verifiable Secret Ballot Elections. PhD thesis, Yale University, 1987. YALEU/DCS/TR 561. * 
Josh Daniel Cohen Benaloh, Verifiable SecretBallot Elections. PhD thesis, Yale University, 1987. YALEU/DCS/TR561. 
Kaoru Kurosawa and Shigeo Tsujii, Multi Language Zero Knowledge Interactive Proof Systems, Advances in Cryptology Crypto 90, (1991), pp. 339 352. * 
Kaoru Kurosawa and Shigeo Tsujii, MultiLanguage Zero Knowledge Interactive Proof Systems, Advances in CryptologyCrypto '90, (1991), pp. 339352. 
Matthew Franklin and Moti Yung, Communication Complexity of Secure Computation. STOC 92, 1992, pp. 699 710. * 
Matthew Franklin and Moti Yung, Communication Complexity of Secure Computation. STOC 92, 1992, pp. 699710. 
Cited By (86)
Publication number  Priority date  Publication date  Assignee  Title 

US5682430A (en) *  19950123  19971028  Nec Research Institute, Inc.  Secure anonymous message transfer and voting scheme 
US6092051A (en) *  19950519  20000718  Nec Research Institute, Inc.  Secure receiptfree electronic voting 
US5758325A (en) *  19950621  19980526  Mark Voting Systems, Inc.  Electronic voting system that automatically returns to proper operating state after power outage 
US6021200A (en) *  19950915  20000201  Thomson Multimedia S.A.  System for the anonymous counting of information items for statistical purposes, especially in respect of operations in electronic voting or in periodic surveys of consumption 
US6330608B1 (en)  19970331  20011211  Stiles Inventions L.L.C.  Method and system of a computer system for establishing communications between a service provider and a central service factory and registry in a computer system 
US6035041A (en) *  19970428  20000307  Certco, Inc.  Optimalresilience, proactive, publickey cryptographic system and method 
US20050049082A1 (en) *  19980318  20050303  Callaway Golf Company  Golf ball 
US6550675B2 (en)  19980902  20030422  Diversified Dynamics, Inc.  Direct vote recording system 
WO2000021041A1 (en)  19981006  20000413  Chavez Robert M  Digital elections network system with online voting and polling 
WO2001020562A2 (en)  19990325  20010322  Votehere, Inc.  Multiway election method and apparatus 
WO2001020562A3 (en) *  19990325  20011018  Votehere Inc  Multiway election method and apparatus 
US6834272B1 (en) *  19990810  20041221  Yeda Research And Development Company Ltd.  Privacy preserving negotiation and computation 
US20020078358A1 (en) *  19990816  20020620  Neff C. Andrew  Electronic voting system 
US20050160272A1 (en) *  19991028  20050721  Timecertain, Llc  System and method for providing trusted time in content of digital data files 
US7117368B2 (en) *  20000121  20061003  Nec Corporation  Anonymous participation authority management system 
US20010011351A1 (en) *  20000121  20010802  Nec Corporation  Anonymous participation authority management system 
US7099471B2 (en)  20000324  20060829  Dategrity Corporation  Detecting compromised ballots 
US20060085647A1 (en) *  20000324  20060420  Neff C A  Detecting compromised ballots 
US20030028423A1 (en) *  20000324  20030206  Neff C. Andrew  Detecting compromised ballots 
US20070189519A1 (en) *  20000324  20070816  Neff C A  Detecting compromised ballots 
US20020007457A1 (en) *  20000324  20020117  C. Andrew Neff  Verifiable, secret shuffles of encrypted data, such as elgamal encrypted data for secure multiauthority elections 
US20020128978A1 (en) *  20000324  20020912  Neff C. Andrew  Detecting compromised ballots 
US7389250B2 (en)  20000324  20080617  Demoxi, Inc.  Coercionfree voting scheme 
US6950948B2 (en)  20000324  20050927  Votehere, Inc.  Verifiable, secret shuffles of encrypted data, such as elgamal encrypted data for secure multiauthority elections 
US7422150B2 (en)  20001120  20080909  Avante International Technology, Inc.  Electronic voting apparatus, system and method 
US20030034393A1 (en) *  20001120  20030220  Chung Kevin KwongTai  Electronic voting apparatus, system and method 
US7461787B2 (en)  20001120  20081209  Avante International Technology, Inc.  Electronic voting apparatus, system and method 
US20060169778A1 (en) *  20001120  20060803  Chung Kevin K  Electronic voting apparatus, system and method 
US7431209B2 (en)  20001120  20081007  Avante International Technology, Inc.  Electronic voting apparatus, system and method 
US20020077887A1 (en) *  20001215  20020620  Ibm Corporation  Architecture for anonymous electronic voting using public key technologies 
US20020103696A1 (en) *  20010129  20020801  Huang Jong S.  System and method for highdensity interactive voting using a computer network 
US7921033B2 (en)  20010129  20110405  Microsoft Corporation  System and method for highdensity interactive voting using a computer network 
US6865543B2 (en) *  20010309  20050308  Truvote, Inc.  Vote certification, validation and verification method and apparatus 
US20020138341A1 (en) *  20010320  20020926  Edward Rodriguez  Method and system for electronic voter registration and electronic voting over a network 
US7729991B2 (en)  20010320  20100601  BoozAllen & Hamilton Inc.  Method and system for electronic voter registration and electronic voting over a network 
US20050028009A1 (en) *  20010324  20050203  Neff C Andrew  Verifiable secret shuffles and their application to electronic voting 
US7360094B2 (en)  20010324  20080415  Demoxi, Inc.  Verifiable secret shuffles and their application to electronic voting 
US6817515B2 (en) *  20010425  20041116  Level 3 Communications, Inc.  Verifiable voting 
US8718283B2 (en)  20010427  20140506  Verizon Ireland Limited  System and method for processing a shared secret 
US20040117649A1 (en) *  20010427  20040617  William Whyte  System and method for processing a shared secret 
US20030046144A1 (en) *  20010828  20030306  International Business Machines Corporation  System and method for anonymous message forwarding and anonymous voting 
US20100170948A1 (en) *  20011001  20100708  Kevin KwongTai Chung  Method for decoding an optically readable sheet 
US7988047B2 (en)  20011001  20110802  Avante International Technology, Inc.  Method for decoding an optically readable sheet 
US20090020606A1 (en) *  20011001  20090122  Kevin KwongTai Chung  Electronic voting method and system employing a machine readable ballot envelope 
US7828215B2 (en)  20011001  20101109  Avante International Technology, Inc.  Reader for an optically readable ballot 
US20070170253A1 (en) *  20011001  20070726  Avante International Technology, Inc.  Electronic voting method and system employing a printed machine readable ballot 
US20060255145A1 (en) *  20011001  20061116  Chung Kevin K  Method for reading an optically readable sheet 
US20060202031A1 (en) *  20011001  20060914  Chung Kevin K  Reader for an optically readable ballot 
US7635088B2 (en)  20011001  20091222  Avante International Technology, Inc.  Electronic voting method and system employing a printed machine readable ballot 
US7614553B2 (en)  20011001  20091110  Avante International Technology, Inc.  Method for reading an optically readable sheet 
US7975920B2 (en)  20011001  20110712  Avante International Technology, Inc.  Electronic voting method and system employing a machine readable ballot envelope 
US7635087B1 (en)  20011001  20091222  Avante International Technology, Inc.  Method for processing a machine readable ballot and ballot therefor 
US6942142B2 (en)  20011002  20050913  HewlettPackard Development Company, L.P.  Voting ballot, voting machine, and associated methods 
US20030062408A1 (en) *  20011002  20030403  Barmettler James W.  Voting ballot, voting machine, and associated methods 
US20050021479A1 (en) *  20011212  20050127  Jorba Andreu Riera  Secure remote electronic voting system and cryptographic protocols and computer programs employed 
US7260552B2 (en)  20011212  20070821  Scytl Online World Security, Sa  Secure remote electronic voting system and cryptographic protocols and computer programs employed 
US20050269406A1 (en) *  20040607  20051208  Neff C A  Cryptographic systems and methods, including practical high certainty intent verification, such as for encrypted votes in an electronic election 
US20060000904A1 (en) *  20040630  20060105  France Telecom  Method and system for electronic voting over a highsecurity network 
US7819319B2 (en) *  20040630  20101026  France Telecom  Method and system for electronic voting over a highsecurity network 
US20060249578A1 (en) *  20050506  20061109  Fernando Morales  Method of confidential voting using personal voting codes 
US7995750B2 (en) *  20060706  20110809  Sap Ag  Privacypreserving concatenation of strings 
US20080019510A1 (en) *  20060706  20080124  Sap Ag  Privacypreserving substring creation 
US7986780B2 (en) *  20060706  20110726  Sap Ag  Privacypreserving substring creation 
US20080010467A1 (en) *  20060706  20080110  Sap Ag  Privacypreserving concatenation of strings 
US9569905B2 (en)  20061020  20170214  Barry Cohen  Electronic voting system 
US20080110985A1 (en) *  20061020  20080515  Barry Cohen  Electronic voting system 
US8061589B2 (en)  20061020  20111122  Barry Cohen  Electronic voting system 
US8526621B2 (en)  20061201  20130903  President And Fellows Of Harvard College  Method and apparatus for timelapse cryptography 
US20100185863A1 (en) *  20061201  20100722  Rabin Michael O  Method and apparatus for timelapse cryptography 
US7937270B2 (en) *  20070116  20110503  Mitsubishi Electric Research Laboratories, Inc.  System and method for recognizing speech securely using a secure multiparty computation protocol 
US20080172233A1 (en) *  20070116  20080717  Paris Smaragdis  System and Method for Recognizing Speech Securely 
US20090327141A1 (en) *  20070418  20091231  Rabin Michael O  Highly efficient secrecypreserving proofs of correctness of computation 
US20090177591A1 (en) *  20071030  20090709  Christopher Thorpe  Zeroknowledge proofs in large trades 
US20090289115A1 (en) *  20080430  20091126  Kevin KwongTai Chung  Optically readable marking sheet and reading apparatus and method therefor 
US8066184B2 (en)  20080430  20111129  Avante International Technology, Inc.  Optically readable marking sheet and reading apparatus and method therefor 
US8261985B2 (en)  20090407  20120911  Avante Corporation Limited  Manual recount process using digitally imaged ballots 
US20100252628A1 (en) *  20090407  20101007  Kevin KwongTai Chung  Manual recount process using digitally imaged ballots 
US20110010227A1 (en) *  20090708  20110113  Aulac Technologies Inc.  Antirigging Voting System and Its Software Design 
US8261986B2 (en)  20091021  20120911  Kevin KwongTai Chung  System and method for decoding an optically readable markable sheet and markable sheet therefor 
US20110089236A1 (en) *  20091021  20110421  Kevin KwongTai Chung  System and method for decoding an optically readable markable sheet and markable sheet therefor 
US20130170640A1 (en) *  20110429  20130704  International Business Machines Corporation  Fully Homomorphic Encryption 
US9083526B2 (en) *  20110429  20150714  International Business Machines Corporation  Fully homomorphic encryption 
US9716590B2 (en)  20110429  20170725  International Business Machines Corporation  Fully homomorphic encryption 
US8840022B1 (en)  20130315  20140923  Election Systems & Software, Llc  System and method for decoding marks on a response sheet 
US9742556B2 (en)  20150825  20170822  International Business Machines Corporation  Comparison and search operations of encrypted data 
US20170085544A1 (en) *  20150828  20170323  ElectionEurope  Method of Security and Verifiability of an Electronic Vote 
Also Published As
Publication number  Publication date  Type 

EP0697776A3 (en)  19990609  application 
DE69520714D1 (en)  20010523  grant 
EP0697776A2 (en)  19960221  application 
JPH0863533A (en)  19960308  application 
EP0697776B1 (en)  20010418  grant 
ES2156594T3 (en)  20010701  grant 
DE69520714T2 (en)  20010809  grant 
Similar Documents
Publication  Publication Date  Title 

Gennaro et al.  Algorithmic tamperproof (ATP) security: Theoretical foundations for security against hardware tampering  
BlakeWilson et al.  Unknown keyshare attacks on the stationtostation (STS) protocol  
Pedersen  Distributed provers with applications to undeniable signatures  
Zhang et al.  IDbased blind signature and ring signature from pairings  
Juels et al.  Coercionresistant electronic elections  
Delerablée et al.  Dynamic fully anonymous short group signatures  
US6950948B2 (en)  Verifiable, secret shuffles of encrypted data, such as elgamal encrypted data for secure multiauthority elections  
Boyd et al.  Offline fair payment protocols using convertible signatures  
Guillou et al.  A “paradoxical” identitybased signature scheme resulting from zeroknowledge  
US6092051A (en)  Secure receiptfree electronic voting  
US4969189A (en)  Authentication system and apparatus therefor  
Lipmaa et al.  Designated verifier signature schemes: attacks, new security notions and a new construction  
Damgård et al.  A generalisation, a simpli. cation and some applications of paillier's probabilistic publickey system  
US7260552B2 (en)  Secure remote electronic voting system and cryptographic protocols and computer programs employed  
Cohen et al.  A robust and verifiable cryptographically secure election scheme  
Ohkubo et al.  An improvement on a practical secret voting scheme  
US6292897B1 (en)  Undeniable certificates for digital signature verification  
Petersen et al.  Selfcertified keysconcepts and applications  
Lipmaa  Verifiable homomorphic oblivious transfer and private equality test  
Baudron et al.  Practical multicandidate election system  
Lim et al.  A key recovery attack on discrete logbased schemes using a prime order subgroup  
Chang et al.  Using smart cards to authenticate remote passwords  
Pedersen  Noninteractive and informationtheoretic secure verifiable secret sharing  
US6178507B1 (en)  Data card verification system  
Damgård et al.  New convertible undeniable signature schemes 
Legal Events
Date  Code  Title  Description 

AS  Assignment 
Owner name: NEC CORPORATION, JAPAN Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SAKO, KAZUE;REEL/FRAME:007175/0563 Effective date: 19940901 Owner name: NEC RESEARCH INSTITUTE, INC., NEW JERSEY Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:KILIAN, JOSEPH JOHN;REEL/FRAME:007175/0565 Effective date: 19940901 

AS  Assignment 
Owner name: NEC CORPORATION, JAPAN Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:NEC RESEARCH INSTITUTE, INC.;REEL/FRAME:008354/0651 Effective date: 19960212 

FPAY  Fee payment 
Year of fee payment: 4 

FPAY  Fee payment 
Year of fee payment: 8 

FPAY  Fee payment 
Year of fee payment: 12 